Microsoft Cloud Account Purchase Channel: Azure Blob Storage Tier Management and Anti-leeching Security Configuration

cloud · 2026-06-05 · 8 views

In the era of mobile Internet and big data, almost every team has to deal with storing massive amounts of unstructured data: user avatars, audio and video, internal contract PDFs, system logs. It often adds up to hundreds of TB or even PB.

If all of these files are stuffed onto traditional server hard disks, scaling out is slow and laborious, and the monthly bill can kill you. This is where Azure Blob Storage (Microsoft's cloud object storage) has become the de facto standard.

But many newcomers simply throw everything into Blob storage and call it done. That has two serious consequences:

First, a frequently accessed avatar and a log nobody has read for years are both billed at the same high unit price (your wallet bleeds). Second, once a file link is made public it can be hotlinked and abused, producing a huge bill overnight (a big security hole).

Today's tutorial skips the fluff and takes you straight through the two core jobs of Blob storage: tiered lifecycle management (save money) and SAS anti-leeching security configuration (peace of mind).

1. Stage one: sorting out Blob's three storage tiers (Access Tiers)

Azure Blob is cheap because it lets you pick a different storage price based on how often each file is accessed. Think of it as a wardrobe with three drawers:

Hot tier (Hot): for data accessed frequently, such as a video currently being streamed or an avatar a user just uploaded. It has the highest storage unit price, but reading files costs almost nothing.

Cool tier (Cool): for data accessed infrequently (say, no more than once in 30 days) that still needs to be readable instantly, such as last month's bills or short-term backups. The storage unit price is much lower, but a small retrieval fee is charged on every read.

Archive tier (Archive): for cold data that is rarely accessed (once every few months or even years) and can tolerate hours of latency, such as compliance audit logs or historical medical images. Storage is almost negligibly cheap, but to get a file back out (rehydrate) you must wait several hours for it to be unfrozen.

2. Practice: use Lifecycle Management to save money automatically, with nobody watching

If you had to switch tiers by hand for thousands of files you would be working until dawn. Azure provides a "Lifecycle Management" feature: you only set the rules, and the system executes them automatically.

1. Target scenario

We have a batch of system log files that developers need to check frequently during the first 7 days. After 7 days hardly anyone looks at them, but they must be kept for reference. After 180 days they are pure compliance dead data that must be retained for 7 years before deletion.

2. Configuration steps

Sign in to the Azure portal and open your storage account (Storage Account).

In the left-hand menu, find and click "Lifecycle Management" -> "Add a rule".

Basic information: give the rule a name, such as Log_Optimization_Rule. For the rule scope, select "Use filter to restrict the rule" so that it applies only to the log folder and does not accidentally hit other data.

Rule set configuration (IF/THEN logic):

Step 1 (move to cool): if the base blob was last modified more than (days) -> enter 7; then Action -> Move to cool storage.

Step 2 (move to archive): click Add condition; if the base blob was last modified more than (days) -> enter 180; then Action -> Move to archive storage.

Step 3 (auto delete): if the base blob was last modified more than (days) -> enter 2555 (7 years); then Action -> Delete the blob.

Filter set: in Prefix match, enter your log folder path, for example logs/. The rule then applies only to files under the logs folder.

Click Save. Your storage account now has a built-in "financial steward" that moves aging files into cheaper drawers every day, shreds them when they expire, and flattens the billing curve.
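The same policy the portal steps above build, written as the JSON document that `az storage account management-policy create --account-name <account> --policy @policy.json` accepts, plus a small evaluator that shows which action the rule would apply to a blob on a given day. This is an added example, not code from the original tutorial; the container name "syslogs" and the sample blobs are constructed placeholders, the thresholds (7, 180, 2555 days) are the tutorial's own. One detail the portal hides: in a lifecycle policy the prefix must begin with the container name, so the tutorial's "logs/" folder inside container "syslogs" is written "syslogs/logs/".

```python
"""
Added example (not from the original tutorial): lifecycle policy JSON plus an
evaluator that mimics how the rule is applied to a base block blob.
"""
import json
from datetime import date

# Prefix must start with the container name: "syslogs" is a constructed name.
LIFECYCLE_POLICY = """
{
  "rules": [
    {
      "enabled": true,
      "name": "Log_Optimization_Rule",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool":    {"daysAfterModificationGreaterThan": 7},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete":        {"daysAfterModificationGreaterThan": 2555}
          }
        },
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["syslogs/logs/"]
        }
      }
    }
  ]
}
"""

# When several thresholds are exceeded on the same blob, Azure applies the
# cheapest action: delete beats tierToArchive, which beats tierToCool.
ACTION_PRECEDENCE = (("delete", "delete"),
                     ("tierToArchive", "archive"),
                     ("tierToCool", "cool"))


def load_policy(text=LIFECYCLE_POLICY):
    """Parse the policy and make sure it has at least one rule."""
    policy = json.loads(text)
    if not policy.get("rules"):
        raise ValueError("policy contains no rules")
    return policy


def evaluate(policy, blob_path, last_modified, today):
    """Return 'cool', 'archive', 'delete' or None for a base block blob.

    blob_path is 'container/name'; dates are ISO strings (YYYY-MM-DD).
    """
    age_days = (date.fromisoformat(today) - date.fromisoformat(last_modified)).days
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        prefixes = rule["definition"].get("filters", {}).get("prefixMatch", [])
        if prefixes and not any(blob_path.startswith(p) for p in prefixes):
            continue                      # filter does not match: rule skipped
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for key, label in ACTION_PRECEDENCE:
            cond = actions.get(key)
            if cond and age_days > cond["daysAfterModificationGreaterThan"]:
                return label
    return None


if __name__ == "__main__":
    policy = load_policy()
    for path, modified in [                      # constructed sample blobs
        ("syslogs/logs/app-2026-06-03.log", "2026-06-03"),
        ("syslogs/logs/app-2026-05-01.log", "2026-05-01"),
        ("syslogs/logs/app-2025-10-01.log", "2025-10-01"),
        ("syslogs/logs/app-2018-01-01.log", "2018-01-01"),
        ("syslogs/avatars/user1.png",       "2018-01-01"),
    ]:
        print(f"{path:40} -> {evaluate(policy, path, modified, '2026-06-05')}")
```

Save the `LIFECYCLE_POLICY` text to policy.json to apply it with the CLI; the evaluator is only there to make the thresholds and the prefix filter visible before you switch the rule on against real data.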

3. Stage two: draw the security line. Why not use "public access"?

To let the front end display pictures directly with an <img src="..."> tag, many newcomers take the shortcut of setting the access level of the Blob container (Container) to "Public".

That is equivalent to opening your warehouse door straight onto the Internet. Anyone who gets hold of the URL can download without limit, or point a multi-threaded crawler at it and strip out every file you have.

You not only leak private data, you also receive an astronomical bill for the sudden burst of outbound traffic (Egress).

Best practice for production: keep containers "Private" at all times and grant only temporary, controlled access through SAS (Shared Access Signature).

4. Core protection: configure SAS (shared access signature) anti-leeching

SAS (Shared Access Signature) works by appending a cryptographically signed token (Token) to the URL of an otherwise private file. The token specifies who can access the file, during which time window, with which permissions, and from which IP.

Original private link: htps:// m (direct access returns 404/403)

After adding the SAS token, the anti-leeching link becomes: https://mystorage.blob.core.windows.net/media/cat.jpg?sv=2021-08-06&ss=b&srt=o&sp=r&se=2026-06-05T08:00:00Z&sip=203.0.113.50&sig=xxxx... (the se parameter is the expiration time)

1. Hands-on: generate a SAS token with security restrictions

Whether you generate this anti-leeching link dynamically from backend code or produce one manually for a customer, the portal configuration is as follows:

Open the Blob container, select a private file, and click the "Generate SAS" tab.

Permissions: select Read only. Never grant write or delete permissions, so files cannot be tampered with.

Expiry: set a very short expiration time. For showing images on a web page or downloading an attachment, 15 minutes to 1 hour is enough. Past that moment the link is automatically invalid.

Allowed IP addresses: for a high-security (anti-leeching) scenario, fill in the public IP of your front-end server or the user's specific egress IP. Then even if someone forwards the SAS link to a WeChat group, nobody else can open it, because their IP does not match.

Allowed protocols: lock it to "HTTPS only".

Click "Generate SAS token and URL" and you get a long link. Hand it out with peace of mind.

2. Architecture upgrade: backend dynamic SAS generation flow

In a fully automated system, the logic for a front-end user visiting a page should look like this:

The user logs in to your App and requests to view a private invoice.

Your business backend (such as a Java/Python/Node.js service) receives the request and verifies that the user actually has permission to view it.

The backend calls the Azure SDK to generate, in memory, a read-only SAS URL that is valid for only 5 minutes.

The backend returns this temporary URL to the front end, which loads the file securely through the browser within those 5 minutes.

Five minutes later the link is waste paper: even if it leaks, it is useless for redistribution.
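The backend step of this flow, together with the four restrictions from the portal walkthrough above (read only, short expiry, allowed IP, HTTPS only), in standard-library Python. This is an added example and not code from the original tutorial or from Azure's SDK. issue_invoice_url() first checks that the caller owns the invoice and only then mints a read-only, HTTPS-only, IP-bound SAS URL that expires after 5 minutes; verify_sas() plays the storage service, recomputing the HMAC over the presented parameters and rejecting a token that was altered, has expired, or arrives from the wrong IP. The string-to-sign layout is the account-SAS format as documented for sv 2020-12-06 and later; treat it as illustrative of how the restrictions are bound into the signature, and in production use azure.storage.blob.generate_account_sas / generate_blob_sas rather than hand-rolling it. The account name, key, container and invoice-owner table are constructed placeholders.

```python
"""
Added example (not from the original tutorial or the Azure SDK): backend
issuance of a 5-minute read-only SAS URL after an ownership check, plus the
service-side verification that makes expiry, IP and tampering enforceable.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT = "mystorage"                                           # constructed
ACCOUNT_KEY = base64.b64encode(b"not-a-real-key-" * 2).decode()  # constructed, not a real key
SAS_VERSION = "2021-08-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
TTL = timedelta(minutes=5)
INVOICE_OWNER = {"inv-1001": "alice", "inv-1002": "bob"}        # constructed authz table


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def _string_to_sign(p):
    # Every restriction (permissions, window, IP, protocol) is part of the
    # signed string, so editing any of them in the URL breaks the signature.
    return "\n".join([ACCOUNT, p.get("sp", ""), p.get("ss", ""), p.get("srt", ""),
                      p.get("st", ""), p.get("se", ""), p.get("sip", ""),
                      p.get("spr", ""), p.get("sv", ""), p.get("ses", "")]) + "\n"


def _sign(p):
    key = base64.b64decode(ACCOUNT_KEY)
    digest = hmac.new(key, _string_to_sign(p).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_sas_url(container, blob, client_ip, now):
    """Read only (sp=r), blob service (ss=b), object scope (srt=o), HTTPS
    only, bound to client_ip, valid for TTL from `now` (ISO string)."""
    expiry = _parse(now) + TTL
    params = {"sv": SAS_VERSION, "ss": "b", "srt": "o", "sp": "r",
              "se": expiry.strftime(TIME_FMT), "sip": client_ip, "spr": "https"}
    params["sig"] = _sign(params)
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def issue_invoice_url(user, invoice_id, client_ip, now):
    """Backend endpoint logic: authorize first, mint the SAS second."""
    if INVOICE_OWNER.get(invoice_id) != user:
        return None                 # not the owner: no URL is produced at all
    return make_sas_url("invoices", f"{invoice_id}.pdf", client_ip, now)


def verify_sas(url, client_ip, now):
    """Service-side check of a presented URL. Returns (accepted, reason)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not hmac.compare_digest(_sign(q), q.get("sig", "")):
        return False, "bad signature: token was altered"
    if q.get("spr") == "https" and parts.scheme != "https":
        return False, "https required"
    if q.get("sip") and q["sip"] != client_ip:
        return False, "client IP not allowed"
    if "se" not in q or _parse(now) >= _parse(q["se"]):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = "2026-06-05T08:00:00Z"
    url = issue_invoice_url("alice", "inv-1001", "203.0.113.50", t0)
    print(url)
    print(verify_sas(url, "203.0.113.50", "2026-06-05T08:01:00Z"))   # accepted
    print(verify_sas(url, "203.0.113.50", "2026-06-05T08:06:00Z"))   # expired
    print(verify_sas(url, "198.51.100.9", "2026-06-05T08:01:00Z"))   # wrong IP
    print(issue_invoice_url("bob", "inv-1001", "203.0.113.50", t0))  # None: not the owner
```

The ordering inside issue_invoice_url is the point of the flow: the authorization decision is made by your own backend before any token exists, and the token itself carries only what the service needs to enforce the time window, the IP and the protocol. Because those fields are inside the signed string, a recipient who edits se to extend the link simply gets a signature mismatch.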

5. Pitfall and advanced anti-leeching patch: combine with Azure CDN

Although SAS fully solves authentication and time limiting, if your file is a public video to be played for a large number of users worldwide (so user IPs cannot be restricted), SAS alone still sends every one of those concurrent requests, and every byte of egress, straight to Blob storage.

The ultimate architecture at this point is:

Keep Blob storage private and put a layer of Azure CDN (Content Delivery Network) or Azure Front Door in front of it.

CDN cache offload: repeated user requests are served at CDN edge nodes, traffic no longer flows back to Blob, and cost drops by 90%.

CDN domain anti-leeching (Referer restriction): enable Referer validation at the CDN layer so that only requests from your own site's domain (such as https://www.mywebsite.com) are allowed through, strangling illegal hotlink references at the outermost line of defence.

Summary

Managing massive numbers of files has never been as simple as "throw them in".

With lifecycle management your data learns to "metabolize": expensive hot storage is reserved for your core business, old baggage goes into the frozen archive tier, and you save money in the most elegant way.

With a private container plus dynamic short-lived SAS tokens, every file gets its own key with a time bomb attached, and the nightmare of malicious traffic theft is gone for good.

Build these two configurations into your system design and your cloud storage architecture is truly both smart and robust.
